
full-artist-27215

04/29/2021, 2:47 PM
I've got a bit of an ordering question. As part of my Pulumi run, I create a CloudFormation Stack. One of the things that stack creates is an IAM Role. I want to get the name of that Role using `pulumi_aws.iam.get_role` (using Python, FWIW) in order to grant it permission to access an S3 bucket. The stack creation and permission granting are currently in the initialization of a Component Resource. As I was developing my application, I started out with just the CloudFormation stack, and only later added this permission granting step. Because of this, the CloudFormation stack (and thus the Role) already existed by the time I added the `get_role` call. Now, however, I am creating a new instance of my Pulumi stack from scratch, and nothing exists. I had assumed that my `get_role` call would be fine, given that I'm using the Outputs of the CloudFormation stack, e.g.

queue_instance_role = aws.iam.get_role(
    name=self.cf_stack.outputs["InstanceRoleName"],
)

but this apparently isn't sufficient; I'm getting the following error:

Exception: invoke of aws:iam/getRole:getRole failed: Missing required argument: The argument "name" is required, but no definition was found. ()

This is on Pulumi 2.25.2. Is there a way to force this `get_role` call to wait until the CloudFormation stack is created before being invoked? Thanks.
bump ☝️

bored-oyster-3147

04/30/2021, 3:10 PM
you keep using the word `Stack` - do you mean the pulumi concept of a Stack? Like is all of this occurring in one pulumi stack? Do you need to `get_role`? Is the role created further up in the stack with like:

var role = new Aws.Iam.Role("role", ...);

And if it is, is the name you want a pulumi output on that object, like `role.RoleName`? And if it isn't can you provide the role ARN on the new policy instead of the name? Since that is definitely an output.
You should (in my experience) only need to use the `get_x` methods for things that are created outside of the stack
I've always used Role ARNs without issue - so I think that would work in your case

full-artist-27215

04/30/2021, 3:22 PM
One of the resources in my Pulumi stack is a Cloudformation stack, the definition of which I am consuming from a 3rd party. One of the things that Cloudformation stack creates is an IAM Role. One of the Cloudformation stack outputs is the name of that role. Cloudformation outputs are exposed in Pulumi as outputs of the Cloudformation stack resource. To do additional infrastructure setup with additional Pulumi resources, I need to refer to that IAM role name. In everything else I do in Pulumi, the fact that the information is a Pulumi Output handles the necessary dependency ordering just fine. Here, that does not appear to be the case. My questions are: "_why_ is this not the case?" and "is there another way of formulating my Pulumi code to deal with this scenario?"

bored-oyster-3147

04/30/2021, 3:44 PM
I still don't think you should be doing `get_role`. That is why the ordering is broken. Can you link me reference for the 3rd party Cloudformation stack definition?

If not `get_role`, then what? Do I need to create a separate Pulumi stack that only brings up that Cloudformation stack, and then have the rest of my code in another Pulumi stack and make references? That could also get complicated because I actually have several instances of the Cloudformation stack that I need to work with.

bored-oyster-3147

04/30/2021, 3:50 PM
ok now I'm even more confused that you linked me a big yaml file. I thought you said you were using pulumi python? Is the "Cloudformation stack" part of the same pulumi stack? From your description I thought it was a ComponentResource provided by a 3rd party.

full-artist-27215

04/30/2021, 3:52 PM
That's the 3rd party Cloudformation stack

bored-oyster-3147

04/30/2021, 3:53 PM
Right - but it's YAML. So how is it part of the same pulumi stack as your python stack? can you share your python code?

bored-oyster-3147

04/30/2021, 3:54 PM
ok that makes sense thank you. and `cloudformation.stack.outputs` has a role name that you are using?

full-artist-27215

04/30/2021, 3:55 PM
Yes:
queue_instance_role = aws.iam.get_role(
    name=self.cf_stack.outputs["InstanceRoleName"],
)

bored-oyster-3147

04/30/2021, 3:55 PM
my question is - why do you need to get role?
when you already have the name?

full-artist-27215

04/30/2021, 3:59 PM
the name is generated in the stack execution, and I'd rather not have to rely on internal knowledge of how that stack executes in order to get the name elsewhere.

bored-oyster-3147

04/30/2021, 3:59 PM
I'm confused by that statement. Can you share the code where you are creating the S3 policy?

full-artist-27215

04/30/2021, 4:05 PM
Yes, I need the name of the role. I can just look into the Cloudformation stack definition and figure out how it pieces the name of that role together (as it turns out, it's not terribly complicated). While that is workable, it's only because the name (in this particular case) doesn't (currently!) include any randomly-generated content (like Pulumi does by default, with e.g. "foo-Role-abc123"). More broadly, I'm pretty sure that the role must exist in order for a RolePolicy to be attached to it, and the only way I can be sure it exists is to create the Pulumi resources that depend on that Role after that Role has been created. I was under the impression that because that name is exposed by the Cloudformation Stack as a Pulumi Output, this ordering would be taken care of by Pulumi. But it does not appear to be the case.

bored-oyster-3147

04/30/2021, 4:08 PM
I really need to see your code in order to help you any further man, I'm sorry. I must really be missing something because I don't understand why you cannot use the name that you have.
What is the problem with doing:

var policy = new Aws.S3.BucketPolicy("name", {
    role_name: self.cf_stack.outputs["InstanceRoleName"],
});

full-artist-27215

04/30/2021, 4:14 PM
I guess the answer is that `get_role` expects a `str` and not an `Output[str]`... presumably if the latter were true, this would work.
My mistake; sorry for the trouble. Thanks for the assistance 🙇

bored-oyster-3147

04/30/2021, 4:15 PM
well that's my question, you don't need to get the role first if you already have the information you need, right?
I thought this `self.cf_stack.outputs["InstanceRoleName"]` was an `Output[str]`

full-artist-27215

04/30/2021, 4:21 PM

bored-oyster-3147

04/30/2021, 4:22 PM
so what property do you need from the `Aws.Iam.Role` that is returned by `get_role`?

full-artist-27215

04/30/2021, 4:26 PM
Since it is only the name I need, I'm just going to restructure the code of the policy document to use the Cloudformation stack output directly. I had been trying to be more object-oriented in how I was writing this code, but that doesn't look like it's going to work in this case.

bored-oyster-3147

04/30/2021, 4:28 PM
I mean, you're not being less object-oriented by not using `get_role` I don't think.
`get_role` is just meant to be used to retrieve resources that don't belong to your stack, which is why it wasn't waiting for the role to be created.. because it assumes it exists outside your stack
Like you said this is why it doesn't take in an `Output[str]` but rather a `str`, since it isn't supposed to depend on anything in the stack